Hi,

Do you use DTLS? It is a secure mode of UDP transfer. If you are not using DTLS then you are not vulnerable.
regards,
James

On Mon, Jun 9, 2014 at 6:43 PM, Jaya Nageswar <jaya.nages...@gmail.com> wrote:
> Hi All,
>
> We are currently using openssl 0.9.8 h version in one of our components. I
> would like to get some additional information about the vulnerability “DTLS
> invalid fragment vulnerability (CVE-2014-0195)”. I could get the
> information about all other vulnerabilities that are fixed in 0.9.8 za
> except this vulnerability at
> https://www.openssl.org/news/vulnerabilities.html
> At the above link, it was clearly mentioned about the 0.9.8 versions that
> are being affected for each of the vulnerabilities. However I could not
> find any information about CVE-2014-0195 here.
>
> As per my analysis, the DTLS fragment reassembly fixes have been added in
> openssl 0.9.8 o as part of “PR 2230:Fix various DTLS fragment reassembly
> bugs”.
> These fixes do not exist in openssl 0.9.8 h. The vulnerability fix for
> “CVE-2014-0195” is part of those fixes that were added in 0.9.8 o version.
>
> I would like to know if openssl 0.9.8 h is affected by the vulnerability
> CVE-2014-0195. Appreciate your quick feedback on this. Thanks in advance.
>
> regards,
> -Jay.
>